Buffer overflow reported in UEFI EDK1

Firmware patching scramble begins

A pair of security researchers have found a buffer overflow vulnerability within the implementation of the unified extensible firmware interface (UEFI) within the EDK1 project used in firmware development.

Bromium researcher Rafal Wojtczuk and MITRE Corp's Corey Kallenberg said the bug in the FSVariable.c source file was linked to a variable used to reclaim empty space on SPI flash chips.

Exploitation could be nasty if code is instantiated earlier on when booting was less secure and the SPI Flash with its firmware is accessible.

An attacker exploiting early could gain a persistent foothold in systems, Kallenberg said.

"We have discovered a buffer overflow associated with this 'reclaim' operation in FSVariable.c," Kallenberg said in a CERT advisory.

"In an ideal attacker scenario, the vulnerable code can be instantiated before the SPI flash is locked down, thus resulting in an arbitrary reflash of the platform firmware.

"Another possibility is for the attacker to leverage this vulnerability to get into SMM (if SMM is not sufficiently locked down yet), or to defeat Secure Boot and launch an authoriSed boot loader ... or to achieve a runtime SMM break-in."

Damage varied between OEM firmware implementations.

Insyde Software Corporation issued a patch for its affected firmware while other unnamed OEM were working on fixes. ®